It is likely that your company has an obligation to protect the data and the financial information of its customers, clients and/or employees. This may be harder than ever, since much of the company’s most valuable information now involves some form of network and data connection or storage, and work is conducted electronically over a network.
Many smaller businesses find themselves vulnerable to cyberthieves, mainly because they have limited budgets for data security and few or no technology experts on staff. Costs of a hacking incident or inadvertent disclosure can include: forensic expenses to figure out what happened, how, and what was taken; installing more robust data protection security; data recovery; notifying customers; paying credit monitoring fees for affected customers; hiring a public relations firm to deal with the fallout; and perhaps dealing with business interruption from downed technology. There also may be regulatory fees or fines, legal fees and court costs.
Liability for loss or disclosure of customer or employee data is not typically covered under a corporate insurance policy. Some existing business insurance policies that offer general liability, and directors and officers liability, may provide a measure of coverage for those areas, but significant gaps may exist if you are trying to recover from a hacking incident that revealed private information.
Some insurance coverage for cyberliability was offered to technology service providers to cover them for negligence or wrongful acts that led to damages for their clients, including security breaches. Some general commercial insurance policies offered coverage for publication of material that violates a person’s right of privacy.
There has been at least one recent case that denied coverage where the data breach was not a negligent act by the insured, but a deliberate hacker attack. Companies with HIPAA obligations, companies that store credit card information or email addresses and passwords for customers or online retailers especially should review their insurance coverage against a hacking incident or an inadvertent release of private information.
If the general business policies are not adequate for the risks, consider specific cyber liability policies that cover your costs for dealing with a disclosure and also for defending suits from customers or other third parties.
Situations to discuss with your insurance agent should include:
Loss or disclosure of personally identifiable employee and customer/client information.
Failure to prevent the entrance or spread of a virus/hacker attack.
Libel, slander and copyright infringement from your website content.
Expenses to respond to a threat to harm or release your data as well as cover ransom payments if necessary (extortion).
In addition, some basic security measures may make your company less vulnerable, such as firewalls and strong passwords that are frequently changed. If employees bring their own devices that connect to the company networks, those devices need security as well.